Friday, September 30, 2011

How the RSA Breach May Have Been Prevented


To continue the earlier entry on Advanced Persistent Threats, some interesting information has come out recently about the successful attack earlier this year on RSA, the Security Division of EMC. Apparently, the massive data theft began with a relatively simple phishing email sent to an EMC employee. The email contained an Excel spreadsheet that was booby-trapped with a malicious embedded object, which exploited a zero-day vulnerability in Adobe Flash to install a backdoor on the system.

What can we learn from this? Well, for one, it excuses RSA to some degree, since the zero-day flaw couldn't have been patched at the time. It also highlights, yet again, the importance of user training and a sound IT Security Policy. What if this user had been trained to recognize a suspicious email? Maybe the attack would have happened anyway, if not through this user then through another, but maybe it wouldn't. The attack chained several vectors together, but was not in and of itself a complex attack. As is often the case, training the staff to detect phishing threats and thwart social engineering attacks would have gone a long way toward mitigating this threat. RSA isn't alone in this regard - users will continue to be the weak spot in any organization's security.

This entry was based on information found in the following excellent articles:

If you don't yet have an IT Security Policy, or would like to update the one you do have, a great site to visit is InstantSecurityPolicy.com, which uses a wizard to customize security policies to your company's needs. A comprehensive policy, plus user training on how to spot threats and use the Internet safely, will go a long way toward mitigating these inherent risks.